sourcegraph / jsonrpc2

Package jsonrpc2 provides a client and server implementation of JSON-RPC 2.0 (http://www.jsonrpc.org/specification)
MIT License

CI: add minimal permissions to your GitHub Workflows #72

Closed diogoteles08 closed 1 year ago

diogoteles08 commented 1 year ago

Hi!

I'm here to suggest that you set minimal permissions for your GitHub Workflows, because currently they don't specify the permissions for their jobs and their privileges are being determined by GitHub's defaults. If you define minimal permissions, you would be secured against erroneous or malicious behaviours from external jobs you call from your workflow. It's especially important in case they get compromised, for example.

Setting minimum permissions for workflows is recommended by GitHub itself and also by other security tools, such as Scorecards and StepSecurity.

Since it's a very simple change, I'll raise a PR following this issue and it'll be easier to evaluate the modifications =)

Context

I'm Diogo and I work on Google's Open Source Security Team (GOSST) in cooperation with the Open Source Security Foundation (OpenSSF). My core job is to suggest and implement security changes on widely used open source projects 😊
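As an added illustration of the change proposed above (not the repository's actual workflow and not part of the issue), the first workflow relies on GitHub's default token permissions, while the second sets a workflow-level `permissions` block so the `GITHUB_TOKEN` can only read repository contents; the job name, branch and step commands are assumptions.

```yaml
# Before (assumed example): no `permissions` key, so the GITHUB_TOKEN gets
# whatever the repository or organisation default grants, which may be
# write access to contents, packages, pull requests and more.
name: ci
on:
  push:
    branches: [master]
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v4
      - run: go test ./...

---
# After (assumed example): a workflow-level `permissions` block. Every scope
# not listed here is set to `none`, so a compromised action or dependency
# running in this job cannot push commits, publish packages or open PRs
# with the token. A job that genuinely needs more can override it locally.
name: ci
on:
  push:
    branches: [master]
  pull_request:
permissions:
  contents: read        # checkout needs read access to the repository
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v4
      - run: go test ./...
```

The two documents are shown in one YAML stream for comparison; in a real repository each would be its own file under `.github/workflows/`. If no step needs the token at all, `permissions: {}` removes every scope.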

keegancsmith commented 1 year ago

TIL and thank you.